Posted by samzenpus on Sunday July 17, 2011 @11:33PM
from the danger-danger-danger dept.

epee1221 writes "Several security professionals released a paper raising objections to the DNS filtering (PDF) mandated by the proposed PROTECT-IP Act. The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws. ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent. The paper notes that a DNS server which has been compromised by a cracker would be indistinguishable from one operating under a court order to alter its DNS responses. The measure also points to a possible fragmenting of the DNS system, effectively making domain names non-universal, and the DNS manipulation may lead to collateral damage (i.e. filtering an infringing domain may block access to non-infringing content). It is also pointed out that DNS filtering does not actually keep determined users from accessing content, as they can still access non-filtered DNS servers or directly enter the blocked site's IP address if it is known. A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.' Paul Vixie, a coauthor of the paper, elaborates in his blog."

The internet is the wild west, but it is far from lawless... it just so happens that there are very few laws.

One of those laws is the trustworthiness of DNS. The proposal at hand is actually one that makes the internet MORE lawless, not less, as DNS falls utterly as the (relatively) trustworthy backbone of the internet it has been until today.

Who would knowingly point to a DNS server that might mislead them after this is passed? I sure wouldn't.

The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters. Maybe not the best example but I bet you get the point.

The point is that will change in about 3 days across the USA if the USA tries this. It's not the first country to try DNS filtering, and perhaps despite what recent history might lead one to believe, Americans aren't significantly more stupid than people in other countries, which nowadays routinely route around incompetent government/corporate attempts to censor the net.

And it is so just because the DNS infrastructure worked by very unsophisticated rules - good enough for everybody - unsophistication which allowed the rules to remain hidden. Break them and more people will start looking into how to mend them in their own way - one may not like some ways of mending.

What it is is bullshit. There would be directions floating around everywhere written at a second grade level on how to do it. If they couldn't figure it out from there they'd ask that tech suave friend or relative to do it. Linux would come pre-configured to hit OpenDNS.

Wherein the problem lies is that half the instructions floating around would be pointing to compromised servers. Thus by eliminating the trust aspect that is key to DNS working and making DNSSEC essentially illegal they're going to create exactly what they claim to be trying to prevent, turning the internet into a lawless wild west. I find it absolutely amazing that Congress is going to pass a law that will make implementing security measures on the internet illegal. Tells you how deep our government representatives are in the pockets of the RIAA/MPAA crowd.

A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.'

Hmmmmmmm. Let me rephrase that differently.....

An inter-office memo from Microsoft was recently released with a statement by an executive arguing that the typical user lacks the expertise to choose a different browser and that apathy and ignorance will allow the Internet to continue to be dominated by Internet Explorer and that the Internet will not devolve into a Wild West of open source competitors taking away market share and that governments and states will not get involved via lawsuits and legislation to affect Microsoft negatively.

You screw around with DNS too hard and you will find that people will fight back. Of course their warnings about fragmentation will most likely be true very quickly. How much of an excuse does China need to form its own root servers and DNS? It would certainly only help them to create and control DNS resolution and to ban all DNS queries to outside networks period. The EU will probably form its own, and interestingly, will probably pick up well over half the US market.

Seriously? Would you choose a DNS "network" that bypasses due process and exposes you to impossible business risks for you and your customers, or a DNS "network" operated without such risks?

When installing IE9 now I can see options on changing default search engines. You can choose default programs now too. Did you think you would see that 5 years ago?

I am willing to bet that if it gets bad enough, even router manufacturers will start giving choices and that open source browsers themselves will start making it easy to configure a computer to use alternate DNS servers, even if it is just for the browser itself.

So far, they have not affected enough people yet, not all that many in actuality, but how much are we arguing about it right now? All they have done is stare at the hornets' nest, just wait till they actually throw a rock.

The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters.

Typical users lack the expertise, because up until now, they didn't need it. I assure you, they will gain this expertise rather shockingly fast. The only way to motivate "typical [l]users" to learn something new is to block something they want. Years ago typical users didn't know how to download HTTP warez, because they didn't understand ZIP files. Years ago typical users didn't know how to access Napster/Kazaa/whatever. Years ago typical users didn't know what a Bit Torrent client was, or why they needed one. Users learn what they need to in order to get what they want.

Indeed. Funny thing, this requires judges and lawyers being woven into the fabric of internet - I don't like the idea.

And politicians.

I wasn't forgetting them... just that they seem to be already entangled in/with the internet - ever since somebody "explained" to them the internet is like a series of tubez [wikipedia.org]. To date, on purpose or not, the confusion persists.

The internet is not a lawless wild west. It's something our governments love to perpetuate because they notice that their local laws mean jack in a global network. It is lawless from their point of view since they are used to governing every part of your life, which they simply cannot do globally.

But lawless it is not. The difference is not that there is law in meatspace and none in the internet. The difference is that different laws apply when you're dealing with the internet. And with different I don't me

The typical user knows exactly as much as they need to (or slightly less) in order to go about their business. When schools and businesses started filtering video/social networking/etc the "typical" user was introduced to web based proxies. If the **AA manages to push through DNS tampering, the typical user will be introduced to alternative DNS servers and even more proxies.

In particular, because these sorts of things would get asked about and talked about. People would learn "Just enter these numbers under DNS and stuff will work again," and they'd do it. Setting DNS servers is not complex, users can easily be taught how to do it, just nobody bothers because they needn't do so. DHCP hands them out and it makes sense to use the ones your ISP provides as they are usually the fastest for you. However it isn't some major technical feat to enter the numbers in the box. There would be sites out there listing unfiltered DNS servers and people would just copy and paste.

1. That would work for like a week until some id10t in CONgress decides ISPs simply have to redirect all tcp/53 or udp/53 traffic to a compliant DNS server, which will of course give rise to plenty of shareware/donationware DNS proxy applications that let you point your system nss library resolver at localhost, and then that app turns around and runs DNS on some other port, perhaps even with an SSL layer to thwart packet inspection.

2. The other issue is DNSSec. I don't agree with the TFA that this p

Even non-typical users are screwed if all the DNS traffic is redirected to the ISP's server, which is sometimes the case. I know a VPN or port tunnel of some kind to another bit of the net can get around that but that's not really trivial and requires collaboration from somebody that doesn't have redirection.

Greetings and Salutations....
Why does this seem like one of those "feel good" laws that politicians pass to get brownie points with their followers, rather than to actually address and fix a problem?
I am more and more convinced that attempts to regulate the Net are a bad idea, and, any official that attempts to do this should be voted out of office or recalled.

That's the intent. To create a law that addresses one political issue while at the same time creating several new problems. THIS IS BY DESIGN. It's the political gift that keeps on giving back to legislatures. It's purely justification to expand the government at the expense of public tax dollars. How in the fuck this is news to anyone proves we still live in a sick, sad world. It should be ingrained into every child from birth that large government = evil!

Adding a little from the quote that got cut precariously close to out of context:

“Here's the bottom line: We rely on the Internet to do too much and be too much to let it decay into a lawless Wild West. We are confident that America's technology community, which leads the world in innovation and creativity, will be capable of developing a technical solution that helps address the serious challenge of rogue sites,” said Paul Brigner, chief technology officer at MPAA.

Such a blanket statement is nonsense. In the UK the National Health Service is a massive government run institution and despite its problems is still many times better than what private healthcare in the US can deliver. The public is broadly in favour of expanding it and pumping in more money, so much so that all parties at the last election declared their intent to shield the NHS from spending cuts that every other public institution would have to bear.

First, the idea of a Russian invasion into any part of Europe is laughable. Second, no one is advocating getting rid entirely of the US military.

The point is that it would be a good idea to stop letting the war industry run the US. Every time the CxOs need a new yacht/villa/whatever, they send some kickbacks to their friends in high places, and a war on $EVIL is started and billions are spent on weapons etc. Keeping a MAD-capable nuclear arsenal and a few carrier groups operational isn't the same as going o

The typical users will quickly learn how to set their DNS providers if this comes to pass.

Say rather that the users who are interested will quickly learn.

ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent.

We shouldn't forget the massive amounts of users that are oblivious to nearly any of this. DNS, IP Addresses, Routing protocols and all the rest of the "magic" of the Internet is well past their horizon.
Please keep in mind how reasonable this would appear to the average Jane and Joe Six-Pack.

The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws.

On the surface this looks like a great thing. Understanding the technology or anything past double-clicking the blue "e", or perhaps clicking a link in

They will. Why? Because something that worked stopped working and they know that it did work and want it to work again.

So what will they do? Simply shrug and go "oh well, 'twas great while it worked"? I kinda don't think so. Instead, they'll go to the board they frequent (which isn't in any way a "filesharing" board, just some... whatever, parents' info exchange board), go to the offtopic section and ask what's wrong with their computer 'cause they can't see movies anymore. Since they not only do not know h

Erh... you know an ISP that has the resources to block every single "open" DNS server out there? I mean, you ARE aware that pretty much any IP address could host one, right? That it's trivial to run one on your server and that it's equally trivial to use it? ISPs would be quite busy catching up with their blocklists and keeping them up to date as DNS servers pop up and close down.

Plus, it's virtually useless. Should for some odd reason they find a way to block "rogue" DNS servers, some tool will come into e

That may be true, but I've seen otherwise relatively technically-illiterate users solve problems - like the ones this may cause - by simply following tutorials. They may not *understand* what a DNS server does, but if they can follow instructions, they can fix the problem. Also, don't underestimate the power of friends providing help - One semi-knowledgeable user + Google can help dozens of users to make the switch if needed.

As such, I think most freeloaders & normal users will end up changing DNS if need

How can that be a good thing by any means? "Deemed to be infringing" is extremely broad. I've had cease and desists sent to my own website for MP3s of my own music which I own entirely. With this law, they don't even need to attempt to prosecute me. They just file notice with the court that my domain is "infringing" and suddenly my hits go to 0. I have no right of reply as I've never been served.

I intend no personal insult, but you seem to forget that what the US courts deem as "infringing" draws no parallels to actual international copyright law. For example, a site which contains no pirated material but contains links to it, is considered as infringing under US copyright laws (see DMCA). If you haven't noticed, the MPAA and RIAA will stop at nothing and have no qualms about how many people they inconvenience. Baidu.cn contains an MP3 section. Does it host MP3s? No. Does that matter to a court which orders all ISPs to block access to Baidu as a result? Of course not.

A law like this gives the MPAA the legal right to have Google.com blocked until it removes all links to pirated material. I don't believe they'd hesitate for a second. Although TBH, they probably need it, in order to search for more meta sites which may or may not link to "deemed infringing" material. Like my personal music.

While of course, this horrific scenario may not occur, the point is, this will allow the MPAA to go nuts. They don't care if they knock out 10,000 sites like my own. They don't have to serve me, so there's no case to win. And when they get it wrong, I can't sue the MPAA, because the MPAA didn't make the "ruling", the court did.

They'll happily have Metacafe blocked because some video has a soundtrack they own, or have any NNTP Usenet provider closed because, despite all their legal offerings, they can be deemed to be serving infringing material. A Safe-Harbour doesn't apply here as they're not actually filing a DMCA takedown. They're just having the court look at all the pirated material and say "this means ISPs have to block them." Goodbye Giganews. I'm sure such sites can go through and remove all material deemed infringing, but exactly how do you go about doing this? MPAA doesn't care - they only have to prove one instance of pirated material. Yet before, say, Giganews can file an appeal, they have to go about removing all potentially infringing material from their usenet mirror? For that matter, how does Google go about removing all links to "potentially infringing" material from their servers?

The typical users will quickly learn how to set their DNS providers if this comes to pass.

Say rather that the users who are interested will quickly learn.

And the ones that are hit by such filtering are probably also the ones that are interested to route around it. If only by posting on their local message board "The Internetz seem broken, I can't reach The Pirate Bay any more!", likely quickly replied to by someone giving some overseas DNS and telling them how to change their settings to use that one. The ones that aren't affected will not change their settings, but then they're not affected to begin with so no reason for them to change it in the first place

The typical users will quickly learn how to set their DNS providers if this comes to pass.

Unfortunately, some unknown, but nontrivial, number of them will learn to set their DNS providers by obtaining from an incrementally more clueful friend and running "l33tt0rr3ntz_DNS_Crack.exe". This will, in fact, reconfigure their system's DNS settings to point to somewhere in the free world; but it might, well, invite a few buddies in...

My nieces and nephews all got MacBooks issued to them from their school. Just like the ones in that webcam scandal. So the school had a firewall installed that was supposed to block inappropriate sites. It was amazing how fast people, who had never owned a computer before, learned how to use a proxy, and learned to put that s on the end of https because apparently the firewall didn't filter sites using ssl. And one of the first things they learned was electrical tape defeats the webcam.

Cousins got iPhones. It was amazing how people who didn't even know what firmware was learned the concept of jailbreaking. No, they didn't all know how to do it. But they knew how to go on Facebook and ask "does anybody know how to jailbreak an iPhone"?

The moral of this story is, if you try to take it away and there is a way to get it back, they'll find it even if they have no idea how to do it right now. It's not that they're incapable of learning. It's that they have had no reason to up until now.

It looks like PROTECT-IP will force Google to delist those sites anyway, once off the indexes, it will be very hard to find them, DNS blacklisted or not. That could cause a secondary underground internet to rise, with their own "black DNS" servers and search engines.

Don't over-sensationalise it; you will just go to a site that links (possibly using the direct IP address) to another site that has no 'illegal' content but is outside the US that has an IP link to the desired site. Provided the IP is static enough no DNS is ever needed. Just add more links as the law tries to catch up.

I would think this process could be made automatic with various scripts. Inventing a new DNS standard will not be fast enough to catch up with some obvious and already implemented web 'standar

Don't over-sensationalise it; you will just go to a site that links (possibly using the direct IP address) to another site that has no 'illegal' content but is outside the US that has an IP link to the desired site. Provided the IP is static enough no DNS is ever needed. Just add more links as the law tries to catch up.

Name-based hosting makes it a little more complicated, since (as far as I am aware - please correct me if I'm wrong) URLs don't currently have a way of specifying the domain and the IP address at the same time. You can get a link to the correct host, but because you used an IP address instead of a domain name the server will present the wrong website.

You are right (I now remember reading something) but would think there would be workarounds if there is reasonable demand to bypass DNS. I think any site with https has to have its own IP address and IPv6 may make this less of an issue.

Trying it out I would think websites may have to be modified or use browser add-ons, you can reach the website but it won't let you browse using the IP.

So if they do force Google to de-list, what is to stop Google continuing to list them on its local sites outside the US? So everyone switches to using Google.co.uk? Or Google could move its .com servers outside the US like it did with China.

You can be sure Google will be doing its best to let people find those sites, as not only does this censorship go against the Google creed but it also knows that if people can't find what they want on Google they will switch to another search provider and bang go Google

They won't even need to know what a DNS is. They'll just download the 'get your free music' extension for firefox. Which will, of course, require them to download a browser that isn't IE, but their nephew/sister/uncle/cool geek in their dorm knows how to do that stuff so its OK.

Sort of lowers the technical bar for circumventing this crap. It'll also move the fight from DNS to the browser level, which will be fuggin' awesome.

Typical users don't know what a phone number is and can't remember one, nor their driver's license numbers, home addresses... oh wait, yeah they can.

The big fail here is that they truly underestimate "typical users." People will learn and teach each other what they will in order to achieve their ends. I think at no time in human history did anyone say "oh, I'm not smart enough to get what I want, so I won't even try." And yes, there will be people who will write browser add-ons to route around the damage

Meanwhile a typical network admin on their first day at work is perfectly capable of redirecting all DNS traffic to their server even if the user is asking for DNS information from Google at 8.8.8.8. Some internet service providers already do this and use it to insert annoying advertisements instead of the expected error messages when an address is not found.
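The error-page substitution mentioned in the comment above can be checked from the client side: ask for a name that cannot exist and see whether the reply is NXDOMAIN or a fabricated address. The following is an added example, not part of the thread; the replies are constructed in-process so it runs offline, and the `.invalid` probe name, the `192.0.2.80` address and all function names are assumptions for illustration.

```python
import ipaddress
import secrets
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def probe_name() -> str:
    # Random label under .invalid, a TLD reserved (RFC 6761) to never exist.
    return f"{secrets.token_hex(8)}.invalid"


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    # Flags 0x0100: standard query, recursion desired.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, rcode: int, addrs=()) -> bytes:
    # Constructed sample reply standing in for what a resolver would send.
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    body = query[12:]       # echo the question section
    for addr in addrs:
        # 0xC00C: compression pointer to the question name at offset 12.
        body += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4)
        body += ipaddress.IPv4Address(addr).packed
    return struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0) + body


def read_name(msg: bytes, off: int):
    # Decode a possibly compressed name; return (name, offset after it).
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "addrs": addrs}


def classify(query: bytes, reply: bytes) -> str:
    # Compare a reply for a must-not-exist name against the query sent.
    try:
        q, r = parse_message(query), parse_message(reply)
    except (IndexError, struct.error, ValueError):
        return "malformed"
    if r["id"] != q["id"] or (r["qname"] or "").lower() != q["qname"].lower():
        return "mismatched"
    if r["rcode"] == RCODE_NXDOMAIN and not r["addrs"]:
        return "honest-nxdomain"
    if r["rcode"] == RCODE_NOERROR and r["addrs"]:
        return "rewritten"  # an address came back for a name that cannot exist
    return "inconclusive"


def demo():
    query = build_query(probe_name(), txid=0x1A2B)
    honest = build_response(query, RCODE_NXDOMAIN)
    rewritten = build_response(query, RCODE_NOERROR, ["192.0.2.80"])  # TEST-NET-1
    return classify(query, honest), classify(query, rewritten)


if __name__ == "__main__":
    print(demo())
```

Against a live resolver, the same `classify` call would take the bytes sent to and received from UDP port 53 in place of the constructed replies.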

The really fun part is that this actually takes away some government control. Monitoring of DNS lookups at your ISP is a useful way for the feds to track what sites you're visiting. By forcing you to use IP addresses directly they're cutting out the middle man and it will be harder to track you.

No ISP I've ever worked at logged DNS requests and responses. Not for law-enforcement purposes, anyway. All your usage bills are based on traffic crossing the border routers - you can rest assured the src and dst IPs on every single one of those packets is recorded and linked to your account.

And this will immediately change and we'll quickly find a way around it, since they want users to visit their places. If users cannot use their site because their virtual hosting system depends on the Host: info, we'll quickly see "servers" pop up that are reachable by their IP Address that doesn't do much but bounce the connection to the correct server with a fitting Host: info.

I sent my senator a short message detailing many of these concerns about the PROTECT-IP bill. You might be interested in her response.... WARNING: Don't read any further if you still have hope that senators can understand and address technology issues....

Dear Friend:
Thank you for contacting me regarding the Federal Communications Commission's actions relating to the openness of the Internet. I welcome your thoughts and comments.

The Internet is a valuable tool that facilitates business, education, and recreation for millions of Americans. In 2009, an estimated 198 million Americans had access to the Internet. I am committed to ensuring that consumers continue to benefit from the Internet as an open platform for innovation and commerce.

Instrumental to the success of the Internet is the long-standing policy of keeping the Internet as free as possible from burdensome government regulations. Increased investment in upgrading and expanding America’s communications infrastructure, and, in particular, new broadband networks, will ensure that all Americans have access to affordable high-speed Internet. However, in my judgment, intensified regulation of the Internet, such as government-mandated treatment of data, would stifle competition and would decrease the incentive for network operators to invest in critical infrastructure.

The case for additional broadband regulatory authority, or “net neutrality,” has not effectively been made. Broadband investment began to truly flourish when the Federal Communications Commission (FCC) made a decision in 2002 to remove advanced communications technologies from the antiquated common carrier regulatory framework. However, advocates of a larger regulatory footprint have continued to call for net neutrality since 2006.

Unfortunately, the FCC chose to respond by beginning a new proceeding that would reverse the 2002 decision to treat advanced communications services with a "light touch" regulatory approach. On December 21, 2010, by a 3-2 vote, the FCC adopted new rules meant to impose a net neutrality regime on broadband services. I believe these new regulations represent an unprecedented power grab by the Commission to claim regulatory jurisdiction without Congressional authority. This FCC action threatens investment and innovation in broadband systems, places valuable American jobs at risk, and may subject communications companies to new legal liability in the management of their networks.

In response to the FCC's heavy-handed order, I intend to explore every option available to me to keep the Internet free from such burdensome regulations, including introducing a resolution of disapproval in an effort to repeal the new rules. As the Ranking Member of the Senate Commerce, Science, and Transportation Committee, which has jurisdiction over the FCC, I will continue to work to prohibit further net neutrality-based regulations.

I appreciate hearing from you, and I hope that you will not hesitate to contact me on any issue that is important to you.

PLEASE DO NOT REPLY to this message as this mailbox is only for the delivery of outbound messages, and is not monitored for replies. Due to the volume of mail Senator Hutchison receives, she requests that all email messages be sent through the contact form found on her website at http://hutchison.senate.gov/?p=email_kay [senate.gov].

If you would like more information about issues pending before the Senate, please visit the S

But no, she did not send the wrong response. If PROTECT-IP does not pass, how better to advance the same cause than to add it as further regulation under the umbrella of net neutrality? Once you are mandating how an ISP runs "Ze Tubes" it's a very short hop away indeed from telling them they also need to obey a blacklist of IP addresses to be provided by the government... indeed that's probably the ot

It certainly affirmed my hunch that you don't have a clue what you're talking about or trying to regulate. In case you didn't notice, PROTECT-IP doesn't have anything to do with net neutrality. My guess is that your henchman just saw "oh, teh intarnets" and sent out the matching form letter, neither understanding what was said nor understanding what he or she sent as a reply. I suggest firing him or her and using a program as replacement that checks for certain catchwo

I sent my senator a short message detailing many of these concerns about the PROTECT-IP bill. You might be interested in her response.... WARNING: Don't read any further if you still have hope that senators can understand and address technology issues....

First of all, let me extend to you my deepest sympathies on your unfortunate status as a Texan. We're all hoping for your speedy recovery from this tragedy.

Secondly: "Kay Bailey Hutchison" is all you need to read to know that your carefully-phrased attempt at intelligent communication with your elected Senator was a thoroughgoing waste of time and effort. Texas Republican, former governor, and "honest politician" (i.e. - she stays bought).

We (the rest of the world) really don't care. We already do not use backup services or cloud services based in the US because of your government. There are lots of alternatives. Soon we won't use DNS with US based roots.
At some point only US citizens will be hampered, held back, and harassed by their funny little leaders and their funny little laws.

Unfortunately, some of our politicians (Like the current Canadian Prime Minister) seem to think that we will be a so much better country if we simply do every stupid thing that the American government has already done, no matter if it actually worked. "it's an American idea, it has to be good for us".
I fear the next 4 years.

While the researchers make some good points from a technical perspective there really are more fundamental issues with PROTECT-IP. The proposed law would grant the government power to selectively censor websites without due process. Those are some pretty basic violations of the constitution and a huge threat to freedom of speech. And the reality is, the government is already doing this without the PROTECT-IP act.

Yes! Once they get trains going over 50 MPH on the wild frontier of the Information Superhighway tubes then you have all sorts of stuff going on, like women's uteri being ripped right out of em. We can't have that. It's the internet and we need porn on it. For that we need women with intact uteri.

Interesting that they mention ISPs would block your ability to use other DNS servers. I don't think that, in the end, there is really anything the ISP could do to completely stop you. The worst they could do is block UDP port 53, but that wouldn't stop you from using any kind of tunneling software, especially if you did that tunneling over a secure socket.

What's really sad is that as of right now, you couldn't get more than 20% of all Facebook users to understand what secure tunneling is, so those that do understand it will just make it a one-click-fix for the other 80%, bypassing all of the ISPs' hard work.

Really it reminds me of Sony and the PS3 all over again. Most of Sony's PS3 gamers don't know the ins and outs of security hacking, yet Sony managed to piss off that 1% of users that do and open the flood gates for another 20% to follow a video tutorial o

And this is exactly why there is little, if anything, one can do about this problem. All it takes is ONE person who knows how to bypass, crack, circumvent or otherwise nullify tools and schemes of protection, blocking or other meant to keep users from doing what they want. Outlawing creation or use of such tools is not going to change much either besides making everyone a criminal. Who in turn will then just care less about legality because when you broke one law, why bother with the rest? If you already br

"A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West."
If you type in Google, for example, "how to change dns servers", how many tutorials will come back with exactly how to change them? Just because some people are not the smartest people in the world with a computer, there is always an article or tutorial out there written in the "how to for dummies" way.

Of course they can configure it, if they know what it is to begin with.

DNS is pretty deep down in the Internet configuration, not something the general user should have to deal with. Bittorrent is so commonplace these days that most users at least know about bittorrent, and many may even actively use it. Now of course if a law like this gets implemented then that may change very quickly.

A fork of the DNS system is something that I can't wait to see happening. I believe that the changes that ICANN is doing are precisely meant to obstruct the adoption of additional independent TLDs, and honestly if the DNS is not forked soon, attempting to do it later is going to create fragmentation and confusion, especially when ICANN sells some of the independent TLDs that belong to the alternative DNS systems nowadays. I am also, mmm, I'll go with angry, at the ICE taking away domains of companies that oper

A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.

dns filtering came to turkey 5 years ago.

EVERYONE knows how to bypass it now. and i mean everyone who is using internet - the equivalent of the 'mom in idaho' knows how to bypass it. her son, relatives, someone from neighborhood comes and bypasses it for her. people learned what 'opendns' means here. the term 'proxy' has become an everyday term, even among the tech illiterate crowd. people ask about 'good proxy' to each other. (people learned about it when the courts started to ban i.p.s).

so, random 'mom in turkey' is able to do that, but the organization that represents all movie producers in america shits about otherwise ?

really. what kind of people are you letting run your country and corporations and corporations' lackey organizations ? idiots ? morons ? bastards ? i think the last one is more likely. (i am not able to bring myself to say ngo regarding mpaa after that kind of idiocy)

really. what kind of people are you letting run your country and corporations and corporations' lackey organizations ? idiots ? morons ? bastards ? i think the last one is more likely. (i am not able to bring myself to say ngo regarding mpaa after that kind of idiocy)

Can I say "all of the above?"

Actually, I can think of a few more colorful metaphors to describe the individuals in power here in the US, but they're highly inappropriate in mixed company. I'm also not so sure they'd adequately describe how

First of all, ISPs have to stop lying about the A record when you look up a filtered domain (seems like an oversight if that practice is even legal). Instead they need to send an error response back to the user. I'd suggest a server error message (since "your government doesn't want you to see this" wasn't included as an error code when DNS was designed).

What the client will do when getting this error is to use the DNS search path provided by the DHCP server along with the DNS server IP. Since the ISP controls the search path, they can ensure it is a domain under which they can provide valid DNSSEC protected domains. Then they make it so that every filtered domain exists as a subdomain under the DNS search path and other domains don't exist there.

Fine. But what if somebody in response to "Protect IP" builds a distributed anonymous DNS system on top of, say, Gnunet? Perhaps an implementation with a simple one-click installer? Heck, someone might even write a Firefox extension for it.

Of course, I'm speaking hypothetically here, because the idea of creating a decentralized DNS system with one-click installation is so crazy and absurd that nobody would ever pursue it, right?

I'm worried about the 'regular' DNS servers out there, sure, but what scares the crap out of me is the root servers. If this act will require tampering on the root servers, we're all f*cked.

As to the normal DNS blocking, Denmark has had this for a few years, and it's a travesty. Innocent domains land on the filter list all the time, and it's virtually impossible to get off it, and the list isn't public, so you're forced to all kinds of shenanigans to find out if you ARE on there or not.

Soon DNS-Servers will come into existence located in some country the name of which ends in -stan where the law enforcement doesn't give a shit about IP laws that will carry those names with the correct target. Put that server into your resolution list on top and you'll always get the correct location.

Of course, this opens you to DNS poisoning attacks. But then again, how this idea is a big blow to security on the internet is the whole point of this thread.

A pesky thing, a big information network the free people of the world can use, if you are trying to control them all. So why not break it and fragment it with idiot laws? It will not take long to control it completely once it's properly "broken". They aren't as dumb as you think they are.

But they don't need that knowledge. Their tool will have it for them. So you cannot access TPB? No problem. Within nanoseconds a tool will spring into existence that uses a non-filtered DNS server for you, provides the IP address and feeds it to your application. Hell, why not make it a browser plugin? And if that fails, how about wedging it into the DNS request routine?

In short, this will accomplish nothing while being a gaping security hole in the making. First for the already mentioned problem with DNSSEC

The point is that every automated blocking can be circumvented with a tool. And using a tool means being able to double click an icon on your desktop, an ability that I guess everyone has.

People won't know this tool exists? They will. Boards, friends, even YouTube how-to videos will exist within seconds of this blocker's launch. If infrastructure is needed, like free DNS servers, it will exist long before this blocker becomes active.